author | Ben Pfaff <blp@nicira.com> | 2014-06-13 16:26:56 -0700 |
---|---|---|
committer | Ben Pfaff <blp@nicira.com> | 2014-06-13 16:26:56 -0700 |
commit | d3120f048ed7e45d678c0e23ca7d3d79765954f6 (patch) | |
tree | 67e4bd061589d8956008af6b6721d87281ef1606 | |
parent | d7ab846ec79b8e10effe6f60c4157b93399ec6a7 (diff) | |
download | openvswitch-d3120f048ed7e45d678c0e23ca7d3d79765954f6.tar.gz |
stream-ssl: Enable TLSv1.1 and TLSv1.2.
The Open vSwitch SSL code was inadvertently enabling only TLSv1, not
later versions. This commit should fix it.
See https://www.openssl.org/docs/ssl/SSL_CTX_new.html
and http://www.postgresql.org/message-id/20131203213049.GA8259@gmail.com
for more information.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Reported-by: Abhinav Singhal <Abhinav.Singhal@spirent.com>
Acked-by: Gurucharan Shetty <gshetty@nicira.com>
-rw-r--r-- | lib/stream-ssl.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 0ca5b18df..045b4958f 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -940,9 +940,17 @@ do_ssl_init(void) RAND_seed(seed, sizeof seed); } - /* New OpenSSL changed TLSv1_method() to return a "const" pointer, so the - * cast is needed to avoid a warning with those newer versions. */ - method = CONST_CAST(SSL_METHOD *, TLSv1_method()); + /* OpenSSL has a bunch of "connection methods": SSLv2_method(), + * SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these + * support exactly one version of SSL, e.g. TLSv1_method() supports TLSv1 + * only, not any earlier *or later* version. The only exception is + * SSLv23_method(), which in fact supports *any* version of SSL and TLS. + * We don't want SSLv2 or SSLv3 support, so we turn it off below with + * SSL_CTX_set_options(). + * + * The cast is needed to avoid a warning with newer versions of OpenSSL in + * which SSLv23_method() returns a "const" pointer. */ + method = CONST_CAST(SSL_METHOD *, SSLv23_method()); if (method == NULL) { VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL)); return ENOPROTOOPT; |
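Review bot: the unchanged `VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL));` line is now stale, because the call just above it is `SSLv23_method()`; change the string to `"SSLv23_method: %s"` so a failure log names the function that was actually called. Also, the new comment says SSLv2 and SSLv3 are "turn[ed] off below with SSL_CTX_set_options()", but that call is not within this hunk; please confirm the context really gets SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3, since the comment itself notes that SSLv23_method() accepts any SSL/TLS version, so without those options the change would widen the accepted versions to include SSLv2/SSLv3 rather than only adding TLSv1.1 and TLSv1.2.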